Identity and Access Management

Sep 16, 2024

Lecture Notes: Identity and Access Management (IAM)

Introduction

  • IAM is crucial for managing access to data across various systems and locations.
  • Applications run on:
    • Desktop computers
    • Laptop devices
    • Mobile devices
  • Data storage locations:
    • Local devices
    • Data centers
    • Cloud
  • Different users access data in varied ways:
    • Employees
    • Vendors
    • Contractors
    • Customers

IAM Process

  • Start: User needs access.
  • End: Access is removed.
  • Changes to permissions may occur during onboarding, offboarding, or job changes.

Access Control

  • Assigns appropriate permissions to users.
  • Depends on both authentication and authorization:
    • Authentication factors: username, password, and any additional factors
  • Log and monitor data access for security and possibly regulatory compliance.

User Account Management

  • Creation and deactivation of user accounts.
  • User attributes include:
    • Name
    • Group permissions
    • Application access permissions

Principles of IAM

  • Assign only the permissions necessary for the user's job function (least privilege).
  • Mandatory Access Control (MAC): Use groups for rights and permissions.
  • Restrict system-level access to prevent unauthorized changes.
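The IAM Process, Access Control and Principles sections above describe one lifecycle: a user is onboarded, permissions change with the job, access is logged, and everything is removed at offboarding. The following Python model is an added example written for these notes (not code from the lecture); the group names, permission names and usernames are constructed sample data, and permissions are derived only from group membership so that a job change replaces rights rather than accumulating them.

```python
"""Account lifecycle with group-based permissions and an audit log (added example)."""
from dataclasses import dataclass, field

# Constructed sample data: each group grants what its job needs and nothing more.
GROUP_PERMISSIONS = {
    "helpdesk": {"ticket:read", "ticket:write"},
    "finance": {"invoice:read", "invoice:approve"},
    "readonly": {"ticket:read", "invoice:read"},
}


@dataclass
class Account:
    username: str
    groups: set[str] = field(default_factory=set)
    active: bool = True


class Directory:
    """Minimal account store: onboard, change job, offboard, authorize, log."""

    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.audit_log: list[dict] = []

    def _log(self, event: str, username: str, **details) -> None:
        # Every lifecycle event and access decision is recorded for monitoring.
        self.audit_log.append({"event": event, "user": username, **details})

    def onboard(self, username: str, groups: set[str]) -> Account:
        unknown = set(groups) - set(GROUP_PERMISSIONS)
        if unknown:
            raise ValueError(f"unknown groups: {sorted(unknown)}")
        acct = Account(username, set(groups))
        self.accounts[username] = acct
        self._log("onboard", username, groups=sorted(groups))
        return acct

    def change_job(self, username: str, new_groups: set[str]) -> Account:
        # A job change replaces the group set; old rights are not carried over.
        acct = self.accounts[username]
        old = acct.groups
        acct.groups = set(new_groups)
        self._log("job_change", username,
                  removed=sorted(old - set(new_groups)),
                  added=sorted(set(new_groups) - old))
        return acct

    def offboard(self, username: str) -> None:
        # Deactivate and strip all groups so nothing is left behind.
        acct = self.accounts[username]
        acct.active = False
        acct.groups = set()
        self._log("offboard", username)

    def permissions(self, username: str) -> set[str]:
        acct = self.accounts[username]
        if not acct.active:
            return set()
        return set().union(*(GROUP_PERMISSIONS[g] for g in acct.groups))

    def authorize(self, username: str, permission: str) -> bool:
        # The decision itself is logged, allowed or denied.
        allowed = permission in self.permissions(username)
        self._log("access", username, permission=permission, allowed=allowed)
        return allowed


if __name__ == "__main__":
    d = Directory()
    d.onboard("alice", {"helpdesk"})
    d.authorize("alice", "invoice:approve")   # denied: not in helpdesk's rights
    d.change_job("alice", {"finance"})
    d.authorize("alice", "invoice:approve")   # allowed after the job change
    d.offboard("alice")
    for entry in d.audit_log:
        print(entry)
```

The audit log is what the "log and monitor data access" bullet asks for: a reviewer can see who was granted which groups, what a job change removed, and which access decisions were denied, without reading application code.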

Identity Proofing

  • Verifies user's identity during account creation.
  • Involves resolution and attestation processes.
  • Methods:
    • Government documents (passport, driver's license)
    • Automated verification (credit reports, security questions)

Authentication Methods

  • Centralized Authentication:
    • User provides credentials to an authentication server.
    • Single Sign-On (SSO) simplifies access across multiple resources.

Protocols

  • LDAP (Lightweight Directory Access Protocol):
    • Protocol for accessing directory services; based on the X.500 specification.
    • Uses distinguished names (DNs) to identify entries in a directory information tree (DIT).
  • SAML (Security Assertion Markup Language):
    • Third-party user authentication.
    • Involves client, resource server, and authorization server.
    • Generates SAML tokens for access.
  • OAuth:
    • Modern, mobile-friendly authorization framework.
    • Often paired with OpenID for authentication.
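To make the LDAP bullets concrete: a distinguished name such as uid=alice,ou=people,dc=example,dc=com is a comma-separated list of relative distinguished names (RDNs), most specific first, and each entry's parent is the same DN with its leftmost RDN removed, which is how the DNs of a directory form a tree. The following Python parser and tree builder are an added example written for these notes (not code from the lecture or from any LDAP library); the DNs used are constructed, and multi-valued RDNs joined with "+" are deliberately left out.

```python
"""Parse LDAP distinguished names and place them in a directory information tree (added example)."""


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDN pairs, leftmost (leaf) first.

    Backslash-escaped characters (e.g. "\\," inside a value) are kept literally;
    attribute types are lower-cased, values are kept as written.
    """
    rdns: list[tuple[str, str]] = []
    attr, buf = None, []
    i = 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character: part of the value
            i += 2
            continue
        if c == "=" and attr is None:
            attr = "".join(buf).strip().lower()
            buf = []
        elif c == ",":
            if attr is None:
                raise ValueError(f"RDN without '=' in {dn!r}")
            rdns.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        raise ValueError(f"RDN without '=' in {dn!r}")
    rdns.append((attr, "".join(buf).strip()))
    return rdns


def _escape(value: str) -> str:
    # Re-escape the characters that would otherwise be read as DN syntax.
    for ch in ("\\", ",", "+", "="):
        value = value.replace(ch, "\\" + ch)
    return value


def format_dn(rdns: list[tuple[str, str]]) -> str:
    """Inverse of parse_dn: rebuild the string form with escaping applied."""
    return ",".join(f"{a}={_escape(v)}" for a, v in rdns)


def parent_dn(dn: str) -> str:
    """The parent entry's DN is the DN with its leftmost RDN removed ('' at the root)."""
    return format_dn(parse_dn(dn)[1:])


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn is base_dn or lies beneath it, i.e. what an LDAP subtree search scopes to."""
    d, b = parse_dn(dn), parse_dn(base_dn)
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def build_dit(dns: list[str]) -> dict:
    """Build a nested dict keyed by RDN strings, from the root suffix down to each leaf."""
    root: dict = {}
    for dn in dns:
        node = root
        for attr, value in reversed(parse_dn(dn)):   # walk root -> leaf
            node = node.setdefault(format_dn([(attr, value)]), {})
    return root


if __name__ == "__main__":
    # Constructed sample directory.
    sample = ["uid=alice,ou=people,dc=example,dc=com",
              "cn=admins,ou=groups,dc=example,dc=com"]
    print(parent_dn(sample[0]))
    print(build_dit(sample))
```

The parser is why a directory can be searched by scope: a server compares the tail of each entry's RDN list against the search base, exactly as is_under does, and the escaping in format_dn is what keeps a comma inside a value (a name written "Smith, John") from being misread as an RDN boundary.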

Federation

  • Allows login without creating a local account.
  • Uses third-party authentication databases (e.g., Twitter, Facebook).
  • Requires an established trust relationship between the providers involved.

Interoperability Considerations

  • Ensuring various technologies work together is vital.
  • Decisions may depend on current and future organizational resources and goals.
  • Example: LDAP for VPN concentrator authentication or OAuth for application authorization.

Conclusion

  • Organizations need to choose technologies that align with their infrastructure and future plans.